Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Welcome to LinuxQuestions.org, a friendly and active Linux Community.

You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!

Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.

If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.

Having a problem logging in? Please visit this page to clear all LQ-related cookies.

Introduction to Linux - A Hands on Guide

This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.

Apparently not everyone is happy in Spain about 'UEFI' & 'Secure Boot' protocols. Plus it seems they really do not know what they are talking about when it comes to 'UEFI' or 'Secure Boot' as related to Microsoft Win/8 or doing a Linux install on same hardware;

"Microsoft has recently introduced a new operating system called 'Windows 8'. The main 'innovation' of Windows 8 is that it incorporates a new obstruction mechanism (called 'UEFI Secure Boot') that controls the start-up of the computer, impeding the free execution of any software program competitive with Windows," he said.
One of the options allowed by UEFI was the digital signature of drivers and applications, permitting complete control over the start-up system.
"I will not explain (to) you the signature process but this makes it near impossible to boot any operating system on a computer that does not have Microsoft's permission," Lancho said. "Microsoft, as the sole owner of the private key, which matches up with the public key held in the memory of computers running Windows 8, is the only party that can authorise (sign) the software components in UEFI, the only party that can sign the boot of the operating system, and the only party that can sign the communications between the operating system and UEFI.

"To be able to attain this goal, Microsoft has to use all its influence and power in the market to to force computer and component manufacturers to accept its monopoly in the key generation system."
He said another interesting aspect was that the whole process could not be reproduced using the private user's certificate without Microsoft's approval, as the standard did not force the manufacturer to include an application to change or reset the PK or KEK repositories. Also, for ARM models, this security model could not be disabled by the user.
"With this set-up, the only option left to the consumer who decides to boot another operating system is to contact Microsoft and hope that the company decides to sign his/her system's components that are in charge of the boot and communication with the UEFI services," Lancho said. "This forces the user (to) enter into negotiations with a company that is famous for its monopolistic policies, with all the problems this would entail.
"The resulting situation is a de facto technological jail for computer booting systems thanks to Windows 8, making Microsoft's Windows platform less neutral than ever, rendering consumers' hardware unreachable for products from competitors."
Lancho said the public market would also be affected, since there was an evident legal incompatibility between the UEFI Secure Boot controlled by Microsoft through Windows 8, and the principles of public procurement and the impossibility to apply the principles of interoperability, established in Spain by Royal Decree 4/2010.
"It would also impede the re-use of thousands of licences of earlier versions of Windows and the development of internal technological solutions which would use a dual booting system, limiting the choice to Microsoft products, if they exist, that comply with the law 11/2007, which introduces the principle of technological neutrality when dealing with the public."
Lancho said the complaint claimed that Microsoft had implemented this secret plan for the purpose of acquiring and maintaining an illegal monopoly over the interaction of the operating systems and the x86 line of microprocessors, which it did by delaying the ability of its competitors to access the market or to otherwise develop and manufacture competitive products.

Secret plan?? I have re-read this whole article and wonder who is advising this group. No one is forcing anyone to buy Win/8 nor the hardware. Buyer be aware! Purchase of a 'Secure Boot' enabled Win/8 hardware will not prevent anyone from loading additional software nor prevent dual booting if done properly.

For this lawyer & group, based on their logic then a complaint against any manufacture can/could be made . If you have a smart refrigerator with a OS that will allow the owner to keep a update DB for contents then a user should be able to load any OS or allow multifunctional system to allow the same control. BS!

This attorney even spoke about ARM being locked. Not all Arm devices are locked, just the ones using MS OS or ones that are product specific. Don't buy that hardware period! Personally I have several ARM devices that are not locked and will never be unless I wish to protect the device & system(BTW, a personal choice).

This ambulance chaser is throwing a complaint at MS without thoroughly knowing the facts or understanding the 'UEFI' protocol and 'Secure Boot' subset as pertaining to closed and open source. FUD! Just another money chaser to get something from a deep pocket defendant. I truly hope someone enlightens this lawyer & group.

You tell him he knows nothing about it, then redirect him to the horse's mouth - the very people pushing for it? Restricted boot, as it should be known, gives little advantage to anyone except Microsoft and its cronies while loping off a large chunk of freedom from anyone unluckly enough to buy one of these such systems without realizing what they are in for.

Just as it's nearly impossible to get a machine today that doesn't come pre-infected with Windows, soon you'll be at a loss to find a computer without this 'feature'. Every computer in the room I'm in now (5) had Windows pre-loaded initially, and most still sport their "Windows Approved/Certified" sticker. I've been told you can order a Windows-less system online but I don't think a person should have to have one shipped from three states over simply because the ones in the local store are all locked up with Windows. Adding UEFI will put another layer of work to done before a system is usable for a linux user. First unlock the UEFI, if it will even be possible, which remains to be seen:

Quote:

While the UEFI specification does not recommend a specific implementation, Microsoft has a preferred solution (outlined on this blog post) which does not give the user full control over what software that is approved to run on their PC. This is the real issue for users.

(http://blog.canonical.com/2011/10/28...pact-on-linux/)
then wipe off Windows, then get down to installing linux. Just like the new-computer-without-Windows is a rare animal today, the new-computer-with-removable-Windows will be extinct tomarrow. And you'll pay for it too, to be sure. Just as we pay for copies of Windows that we never use soon we could be paying for a boot setup that will be disabled in short order (again, provided that's even possible).

UEFI makes little sense in a linux environment:

Quote:

When booting, this software starts a chain which, using a public key cryptography-based authentication protocol, can check your operating system's kernel and other components to make sure they have not been modified in unauthorized ways. If the components fail the check, then the computer won't boot.

(http://www.fsf.org/campaigns/secure-...estricted-boot)
According to the time stamp on the file, I last updated my kernel a few weeks ago. Many, if not most, linux users are always updating and changing their systems. So I'll be ever-so-helpfully locked out from booting my system next kernel update?

Boot malware had its hayday back when the 80286 processor was cutting edge. Unless I'm missing a sudden flood of such security threats that haven't appeared in the news, UEFI is attempting to solve a problem that doesn't exist and hasn't existed for a long time. Oddly enough, I'm sure Windows 8 and whatever Windows after that which will make use of restricted boot will grant Administrator level access to nearly anyone and everyone like Windows has done since its beginnings. So much for security. Recall WGA and signed DLL's and surely someone will find a way around restricted boot.

You say buyer beware but in a monoply there is no other choice: restricted boot further cements that monopoly while disguised as a security feature. Thus, it becomes not what you'll buy but whether a linux user will be able to buy at all. The lawyer is right to call out Microsoft on its latest travesties.

The reference wiki does provide useful information along with 'UEFI Home'. Microsoft does not control either. If you read some of the information you would know that a Windows certified Win/8 label will allow a user to modify or disable 'Secure Boot'. So where is the problem? Possibly just people who do not understand or just spew 'FUD' or speculation. You can enter the 'UEFI' disable 'Secure Boot' and then proceed to install other OS.

If you wish to use 'UEFI' then you must provide 'KEK' and proper boot methodology. 'UEFI' is not extending or allowing a Microsoft monopoly. Microsoft can use 'UEFI' and 'Secure Boot' protocol (which can be & must be allowed to disable 'Secure Boot') without the fear of a user's system being violated.

I did not say "You say buyer beware" but "Buyer be aware"! Big difference in the two statements! Please quote properly and accurately.

A change in the way machines are controlled is long over due. BIOS has been hacked or enhanced so much and 'UEFI' protocol does provide users with better control of their systems without BIOS restrictions or limitation(s) for future designs.

I fully expect that the market will take its course, and do so rather quickly and punitively...

You won't be able to sell a computer with that ROM installed in it, to any other party ...

... and you won't be able to install Windows-8 (as if you actually wanted to) on a machine that does not ...

... and you won't be able to upgrade the Windows installation (again, as if you actually wanted to) on perhaps thousands of existing computers, either.

This entire concept only makes sense to a company that used to think that it had a monopoly and that it therefore could call all of the shots. They're finding out very, very quickly that they do not. Windows-8 is not being accepted ... fact is, the most widely installed Windows version is still XP ... and Windows Surface is not being accepted for tablets, no matter how foolish Microsoft tries to make itself appear by aping Apple stores in shopping malls.

It's ironic to watch Microsoft going through a "Wang experience." Going through the same thing that Lou Gertsner rescued IBM from, as recounted in his excellent book, Who Says Elephants Can't Dance? At one time, Wang Corporation had a 90% market share in dedicated word-processing machines. Even IBM's DisplayWriter couldn't touch them. Every law-office in the world paid thousands of dollars a month in rent to Wang. They laughed derisively at the IBM PC ... that little toy ...

There is a need for secure booting. But it has to involve a user-installable key and cannot involve any motherboard redesigns. It also can't involve a cryptographic key that is owned by a single corporation. The market's dubious demand for this feature is not met by this half-baked incarnation, and Microsoft will soon find itself forced – not by the courts, but by the market – for all of the bullet-pointed reasons I've listed above.

If Microsoft Corporation had any sense whatsoever, they would stop thinking of themselves as "the Windows company," and exercise the technology base that they already have, to publish Microsoft Office .. the full thing, the real thing .. to every existing operating system platform available: Windows, OS/X, Linux. Office is their standard-bearer now, not Windows.

Gates read the writing on the wall, and promptly retired. Ballmer doesn't have the smarts to do that, and their board doesn't have the smarts to retire him.

That depends how the OEM implemented secure boot. I read how others were unable to toggle it on or off.

Secure boot is a good thing if a person only intents to use windows only, but others want to explore and use other operation systems and sometimes secure boot and the OEMs don't play nice.

IMHO, I don't like secure boot and I hope it gets taken out in the future...

that and if you wish to use secure boot, not all together a bad idea, you are force to BUY a key from Microsoft in order to run any OS other then MS Windows.

sorry, but since when did MS own the hardware you and I paid for with our money? That is the real problem with this entire mess. MS has been trying to push this since winXP beta days. now they are succeeding.

That depends how the OEM implemented secure boot. I read how others were unable to toggle it on or off.

Secure boot is a good thing if a person only intents to use windows only, but others want to explore and use other operation systems and sometimes secure boot and the OEMs don't play nice.

IMHO, I don't like secure boot and I hope it gets taken out in the future...

Actuallity is that 'Secure Boot' must be able to be disabled in order for certification of Windows/8. To use 'UEFI' & 'Secure Boot' then the hardware firmware must be certified from the OS by preload of the KEK and proper load methology;

In addition to standard architecture-specific device drivers, the EFI specification provides for a processor-independent device driver environment, called EFI Byte Code or EBC. System firmware is required by the UEFI specification to carry an interpreter for any EBC images that reside in or are loaded into the environment. In that sense, EBC is similar to Open Firmware, the hardware-independent firmware used in PowerPC-based Apple Macintosh and Sun MicrosystemsSPARC computers, among others.
Some architecture-specific (non-EBC) EFI device driver types can have interfaces for use from the operating system. This allows the OS to rely on EFI for basic graphics and network functions until OS specific drivers are loaded.

Systems with 'UEFI' will have some firmware preloaded via manufactures support for their hardware Any OS specific firmware will require the OS to load that firmware and provide certified keys within the VRAM.

Quote:

UEFI requires the firmware and operating system loader to be size-matched; i.e. a 64-bit UEFI implementation can only load a 64-bit UEFI OS boot loader. After the system transitions from "Boot Services" to "Runtime Services," the operating system kernel takes over. At this point, the kernel can change processor modes if it desires, but this bars usage of runtime services[18] (unless the kernel switches back again). Presently, the only operating system that supports running a kernel that is not size-matched to the firmware is Mac OS X.

If a user wishes to use 'UEFI' with other OS than Windows/8, that user will have two ways to get this functional. One way is to set Legacy mode for 'UEFI' then load the other OS. The other way is to certify other OS via KEK then setup proper loader methodology for the other OS so you can get OS to load & run.

If you have the manufactures manual or data you can follow directions as to how to implement installation. MB manufactures do provide methods to enable/disable the 'UEFI Secure Boot' via MB 'UEFI' interface.

Personally I feel that 'UEFI' is long over due so as to allow future designs and that the means to provide firmware security will enhance operations of machines. 'UEFI' in some form will be around for a longer time than the original 'BIOS' so as to allow our designs not to be hampered or limited.